module/ConfigurationProvider/ControlConfigurations/Subscription/SubscriptionCore.json

{
  "FeatureName": "SubscriptionCore",
  "Reference": "aka.ms/azsktcp/sshealth",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_Deprecated_Accounts",
      "Description": "Deprecated/stale accounts must not be present on the subscription",
      "DisplayName": "Remove Orphaned accounts from your subscription(s)",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Id": "SubscriptionCore130",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "CheckDeprecatedAccountsRBAC",
      "AssessmentName": "1ff0b4c9-ed56-4de6-be9c-d7ab39645926",
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "1ff0b4c9-ed56-4de6-be9c-d7ab39645926"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be",
      "Recommendation": "Steps to remove role assignments of deprecated/invalid accounts are: a. To remove permanent role assignment use command 'Remove-AzRoleAssignment' or refer link, https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-remove#azure-portal b. To remove classic role assignments, refer link: https://docs.microsoft.com/en-us/azure/role-based-access-control/classic-administrators#remove-a-co-administrator c. To remove PIM role assignments, refer link https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user?tabs=new#update-or-remove-an-existing-role-assignment. For bulk remediation of permanent and classic role assignments using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_AuthZ_Remove_Deprecated_Accounts.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotP1",
        "CSEOPilotSub"
      ],
      "ControlSettings": {
        "DeprecatedAccounts": ""
      },
      "Enabled": true,
      "DataObjectProperties": [
        "ObjectId",
        "ObjectType",
        "Scope"
      ],
      "FixControl": {
        "FixControlImpact": "Medium",
        "FixMethodName": "RemoveDeprecatedAccounts"
      },
      "PolicyDefinitionGuid": "8d7e1fde-fe26-4b5f-8108-f8e432cbc2be",
      "Rationale": "Deprecated accounts are ones that were once deployed to your subscription for some trial/pilot initiative (or some other purpose). These are not required any more and are a standing risk if present in any role on the subscription.",
      "CustomTags": [
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "P2",
        "Wave3",
        "TRWave4",
        "TRPreview",
        "TRBaseline",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:Old_accts"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities",
      "Description": "Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription)",
      "Id": "SubscriptionCore140",
      "DisplayName": "Remove external accounts from Azure subscriptions",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "AssessmentName": "",
      "PolicyDefinitionId": "",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckNonAADAccountsRBAC",
      "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help. For bulk remediation using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "OwnerAccess",
        "GraphRead",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "ObjectId",
        "RoleDefinitionId",
        "SignInName",
        "Scope"
      ],
      "Rationale": "Non-AD accounts (such as xyz@hotmail.com, pqr@outlook.com, etc.) present at any scope within a subscription subject your cloud assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities: the tenant cannot verify or enforce multi-factor authentication or other sign-in policies on them.",
      "CustomTags": [
        "ActiveBaseline",
        "TenantBaseline",
        "P0",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "Wave1",
        "TRWave4",
        "TRPreview",
        "TRBaseline",
        "EDPreview",
        "SMTPreview",
        "SN:ExternalAccounts"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities_Privileged_Roles",
      "Description": "Do not grant privileged permissions at the subscription scope to external accounts (i.e., accounts outside the native directory for the subscription)",
      "Id": "SubscriptionCore370",
      "DisplayName": "Remove external accounts with privileged roles at subscription scope",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckNonAADAccountsPrivilegedRolesRBAC",
      "ControlScanSource": "Reader",
      "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{roleDefinitionName}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Automated",
        "AuthZ",
        "OwnerAccess",
        "GraphRead",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "Rationale": "Non-AD accounts (such as xyz@hotmail.com, pqr@outlook.com, etc.) present at any scope within a subscription subject your cloud assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities: the tenant cannot verify or enforce multi-factor authentication or other sign-in policies on them. Granting them privileged roles (Owner, Contributor, User Access Administrator) at subscription scope compounds that risk.",
      "ControlSettings": {
        "PrivilegedRoles": [
          "User Access Administrator",
          "Owner",
          "Contributor"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_Subscription_MFA_Should_Be_Enabled_OwnerAccounts",
      "Description": "MFA must be enabled on accounts with Owner permissions on your subscription.",
      "Id": "SubscriptionCore141",
      "DisplayName": "All user accounts must use MFA.",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "AssessmentName": "94290b00-4d0c-d7b4-7cea-064a9554e681",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "94290b00-4d0c-d7b4-7cea-064a9554e681"
        ]
      },
      "PolicyDefinitionId": "",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "",
      "Tags": [
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "ExcludedControl",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_MFA_Should_Be_Enabled_WriteAccounts",
      "Description": "MFA must be enabled on accounts with write permissions on your subscription.",
      "Id": "SubscriptionCore142",
      "DisplayName": "All user accounts must use MFA",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "AssessmentName": "57e98606-6b1e-6193-0e3d-fe621387c16b",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "57e98606-6b1e-6193-0e3d-fe621387c16b"
        ]
      },
      "PolicyDefinitionId": "",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "",
      "Tags": [
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Limit_ClassicAdmin_Count",
      "Description": "Limit access per subscription to 2 or less classic administrators",
      "Id": "SubscriptionCore160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCoAdminCount",
      "DisplayName": "Limit access per subscription to 2 or less classic administrators",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to 'Access Control (IAM)' and select the 'Classic Administrators' tab. (e) Select the co-administrator account that has to be removed and click on the 'Remove' button. (f) Perform this operation for all the co-administrators that need to be removed from the subscription.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "ControlSettings": {
        "NoOfClassicAdminsLimit": 2,
        "EligibleClassicRoles": [
          "CoAdministrator",
          "ServiceAdministrator"
        ]
      },
      "Rationale": "The v1 (ASM-based) version of Azure resource access model did not have much in terms of RBAC granularity. As a result, everyone who needed any access on a subscription or its resources had to be added to the Co-administrator role. These individuals are referred to as 'classic' administrators. In the v2 (ARM-based) model, this is not required at all and even the count of 2 classic admins currently permitted is for backward compatibility. (Some Azure services are still migrating onto the ARM-based model so creating/operating on them needs 'classic' admin privilege.)",
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P1",
        "Wave7",
        "CSEOPilot",
        "TRWave4",
        "TRPreview",
        "TRBaseline",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:Subscription_AdminCount"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_Management_Certs",
      "Description": "Management certificates are a classic (v1/ASM-era) method for automation on an Azure subscription but are risky because private-key hygiene tends to be lax and they can easily be compromised.",
      "Id": "SubscriptionCore170",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "",
      "DisplayName": "Do not use management certificates",
      "Category": "Management interfaces and ports must not be open",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "2acd365d-e8b5-4094-bce4-244b7c51d67c"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "AssignmentNotFound",
            "EffectiveVerificationResult": "Passed",
            "AppendMessageToStatusReason": "NOTE: MDC produces this assessment only when the subscription contains at least one management certificate. Because no MDC assessment result was found for this policy, the control is marked as Passed. If the status code instead reflects a missing policy assignment, confirm that the MDC policy is assigned before relying on this result."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Recommendation": "You need to remove any management certificates that are not required. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to Settings tab --> Management Certificates tab --> Delete unwanted management certificates.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "GraphRead",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": false,
      "Rationale": "Just like classic admins, management certificates were used in the v1 model for script/tool based automation on Azure subscriptions. These management certificates are risky because the (private) key management hygiene tends to be lax. These certificates have no role to play in the current ARM-based model and should be immediately cleaned up if found on a subscription. (VS-deployment certificates from v1 timeframe are a good example of these.)",
      "CustomTags": [
        "TenantBaseline",
        "P0",
        "Wave5",
        "SN:mgmt_Cert",
        "MSD",
        "Prod",
        "CSEOBaseline",
        "CSEOPilot"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Audit_Resolve_MDC_Alerts",
      "Description": "Resolve active Microsoft Defender for Cloud (MDC) alerts of medium severity or higher.",
      "Id": "SubscriptionCore190",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAzureSecurityCenterAlerts",
      "DisplayName": "Resolve active Microsoft Defender for Cloud (MDC) alerts of medium severity or higher",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Recommendation": "You need to address all active alerts on Microsoft Defender for Cloud. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to 'Microsoft Defender for Cloud'. (c) Click on 'Security alerts'. (d) Take appropriate action on all active alerts. NOTE: Subscription-level access (Contributor, Owner, Co-administrator or Security Administrator) is required to see all MDC alerts.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotP1",
        "CSEOPilotSub"
      ],
      "ControlSettings": {
        "MDCAlertsGraceInDays": {
          "High": 0,
          "Medium": 30
        }
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "MDCAlerts"
        ]
      },
      "Enabled": true,
      "Rationale": "Based on the policies that are enabled in the subscription, Microsoft Defender for Cloud raises alerts (which are typically indicative of resources that MDC suspects might be under attack or needing immediate attention). It is important that these alerts/actions are resolved promptly in order to eliminate the exposure to attacks.",
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "TenantBaseline",
        "Prod",
        "CSEOPilot",
        "Wave7",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:Subscription_SecurityAlerts"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Custom_RBAC_Roles",
      "Description": "Do not use custom-defined RBAC roles",
      "Id": "SubscriptionCore250",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckCustomRBACRolesPresence",
      "Recommendation": "Run command 'Remove-AzRoleDefinition -Id {id}'. Run 'Get-Help Remove-AzRoleDefinition -full' for more help.",
      "DisplayName": "Do not use custom-defined RBAC roles",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "Rationale": "Custom RBAC role definitions are usually tricky to get right. A lot of threat modeling goes into the various 'out-of-box' roles ('Owner', 'Contributor', etc.) when the product team defines them. As much as possible, teams should use these built-in roles for their RBAC needs. Using custom roles is treated as an exception and requires a rigorous review.",
      "CustomTags": [],
      "ControlSettings": {
        "ApprovedCustomRBACRoles": []
      }
    },
    {
      "ControlID": "Azure_Subscription_SI_Classic_Resources",
      "Description": "Do not use any classic resources on a subscription",
      "Id": "SubscriptionCore260",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPresenceOfClassicResources",
      "Recommendation": "Migrate each v1/ASM-based resource in your app to a corresponding v2/ARM-based resource. Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-overview",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "DisplayName": "Remove classic resources on a subscription",
      "Category": "Migrate from Classic to ARM model",
      "ControlRequirements": "Secure management and deployment models must be used",
      "Enabled": true,
      "PolicyDefinitionGuid": "37e0d2fe-28a5-43d6-a273-67d37d1f5606",
      "Rationale": "You should use new ARM/v2 resources as the ARM model provides several security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment/governance, access to managed identities, access to key vault for secrets, AAD-based authentication, support for tags and resource groups for easier security management, etc.",
      "ControlSettings": {
        "ClassicResourceTypes": [
          "Microsoft.ClassicCompute/virtualMachines",
          "Microsoft.ClassicStorage/storageAccounts",
          "Microsoft.ClassicCompute/domainNames",
          "Microsoft.ClassicNetwork/virtualNetworks",
          "Microsoft.ClassicNetwork/reservedIps",
          "Microsoft.ClassicNetwork/networkSecurityGroups",
          "Microsoft.MarketplaceApps/classicDevServices"
        ]
      },
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P1",
        "Wave6",
        "CSEOPilot",
        "TRWave4",
        "TRPreview",
        "TRBaseline",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:Sub_RBAC"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_Persistent_Access",
      "Description": "Do not grant permanent access for Subscription level roles",
      "Id": "SubscriptionCore281",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPermanentRoleAssignments",
      "DisplayName": "Do not grant permanent access for Subscription level roles",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "Use Privileged Identity Management (PIM) to grant eligible (just-in-time) access to privileged roles at subscription scope instead of permanent assignments. Before removing a permanent assignment, make sure an equivalent PIM-eligible assignment (or another Owner) exists so you do not lock yourself out. To remove an existing permanent assignment run: Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionId}' -RoleDefinitionName '{roleDefinitionName}'. Refer https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-pim-resource-rbac#assign-roles.",
      "Tags": [
        "SDL",
        "Automated",
        "Access",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "Rationale": "Permanent access increases the window in which a compromised or malicious account can misuse that access, or a legitimate user can inadvertently impact a sensitive resource. To minimize this risk, ensure that critical resources present in the subscription are accessed only by legitimate users when required. PIM facilitates this by limiting users to only assume higher privileges in a just-in-time (JIT) manner (or by assigning privileges for a shortened duration after which privileges are revoked automatically).",
      "ControlSettings": {
        "AllowedPIMRoles": [
          "Azure Front Door Domain Contributor",
          "Azure Front Door Domain Reader",
          "Azure Front Door Profile Reader",
          "Azure Front Door Secret Contributor",
          "Azure Front Door Secret Reader",
          "Defender for Storage Data Scanner",
          "AzureML Compute Operator",
          "Cognitive Services Usages Reader",
          "Key Vault Crypto Service Release User",
          "ServiceAdministrator",
          "CoAdministrator",
          "AccountAdministrator",
          "ServiceAdministrator;AccountAdministrator",
          "ServiceAdministrator;CoAdministrator",
          "CoAdministrator;AccountAdministrator",
          "CoAdministrator;ServiceAdministrator",
          "AccountAdministrator;ServiceAdministrator",
          "AccountAdministrator;CoAdministrator"
        ],
        "AllowedPIMRoleIds": [
          "0ab34830-df19-4f8c-b84e-aa85b8afa6e8",
          "0f99d363-226e-4dca-9920-b807cf8e1a5f",
          "662802e2-50f6-46b0-aed2-e834bacc6d12",
          "3f2eb865-5811-4578-b90a-6fc6fa0df8e5",
          "0db238c4-885e-4c4f-a933-aa2cef684fca",
          "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
          "e503ece1-11d0-4e8e-8e2c-7a6c3bf38815",
          "bba48692-92b0-4667-a9ad-c31c7b334ac2",
          "08bbd89e-9f13-488c-ac41-acfcb10c90ab"
        ],
        "AllowedIdentityDisplayNames": [
          "MS-PIM"
        ],
        "ExemptedPIMGroupsPattern": "JIT_(.)*_ElevatedAccess"
      },
      "CustomTags": [
        "Daily",
        "SN:JIT_Sub"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_Persistent_Access_RG",
      "Description": "Do not grant permanent access at Resource Group level",
      "Id": "SubscriptionCore282",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckRGLevelPermanentRoleAssignments",
      "DisplayName": "Do not grant permanent access at Resource Group level",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "Use Privileged Identity Management (PIM) to grant eligible (just-in-time) access to privileged roles at resource group scope instead of permanent assignments. Before removing a permanent assignment, make sure an equivalent PIM-eligible assignment (or another Owner) exists so you do not lock yourself out. To remove an existing permanent assignment run: Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}' -RoleDefinitionName '{roleDefinitionName}'. Refer https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-pim-resource-rbac#assign-roles.",
      "Tags": [
        "SDL",
        "Automated",
        "Access",
        "AuthZ",
        "SubscriptionCore",
        "RGPersistentAccess",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "AllowedPIMRoles": [
          "Azure Front Door Domain Contributor",
          "Azure Front Door Domain Reader",
          "Azure Front Door Profile Reader",
          "Azure Front Door Secret Contributor",
          "Azure Front Door Secret Reader",
          "Defender for Storage Data Scanner",
          "AzureML Compute Operator",
          "Cognitive Services Usages Reader",
          "Key Vault Crypto Service Release User"
        ],
        "AllowedPIMRoleIds": [
          "0ab34830-df19-4f8c-b84e-aa85b8afa6e8",
          "0f99d363-226e-4dca-9920-b807cf8e1a5f",
          "662802e2-50f6-46b0-aed2-e834bacc6d12",
          "3f2eb865-5811-4578-b90a-6fc6fa0df8e5",
          "0db238c4-885e-4c4f-a933-aa2cef684fca",
          "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
          "e503ece1-11d0-4e8e-8e2c-7a6c3bf38815",
          "bba48692-92b0-4667-a9ad-c31c7b334ac2",
          "08bbd89e-9f13-488c-ac41-acfcb10c90ab"
        ],
        "AllowedIdentityDisplayNames": [
          "MS-PIM"
        ],
        "ExemptedPIMGroupsPattern": "JIT_(.)*_ElevatedAccess"
      },
      "Rationale": "Permanent access increases the window in which a compromised or malicious account can misuse that access, or a legitimate user can inadvertently impact a sensitive resource. To minimize this risk, ensure that critical resources present in the resource group are accessed only by legitimate users when required. PIM facilitates this by limiting users to only assume higher privileges in a just-in-time (JIT) manner (or by assigning privileges for a shortened duration after which privileges are revoked automatically).",
      "CustomTags": [
        "Daily",
        "SN:JIT_Resource"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Add_Required_Tags",
      "Description": "Mandatory tags must be set per your organization policy",
      "Id": "SubscriptionCore290",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMandatoryTags",
      "DisplayName": "Mandatory tags must be set per your organization policy",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags#portal",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "Baseline",
        "Weekly",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "Rationale": "Certain tags are expected to be present on all resources to support enterprise-wide functions (e.g., security visibility based on environment, security scanning, cost optimization, etc.). The control checks for the presence of such 'mandatory' and 'scenario-specific' tags at the subscription and resource group scopes listed in ControlSettings.",
      "ControlSettings": {
        "ExcludeResourceGroupsPattern": [
          "ERNetwork-[0-9]",
          "ERvNet.*",
          "ERNetwork.*",
          "defaultresourcegroup-*",
          "NetworkWatcherRG"
        ],
        "MandatoryTags": [
          {
            "Name": "Env",
            "Type": "string",
            "Values": [
              "Production",
              "Pre-Production"
            ],
            "ValidateTagValueType": false,
            "IgnorePatternWhitespaceForTagName": true,
            "Scope": "ResourceGroup"
          },
          {
            "Name": "ComponentID",
            "Type": "Guid",
            "Values": [],
            "ValidateTagValueType": true,
            "IgnorePatternWhitespaceForTagName": true,
            "Scope": "ResourceGroup"
          },
          {
            "Name": "Env",
            "Type": "string",
            "Values": [
              "Production",
              "Pre-Production"
            ],
            "ValidateTagValueType": false,
            "IgnorePatternWhitespaceForTagName": true,
            "Scope": "Subscription"
          },
          {
            "Name": "ComponentID",
            "Type": "Guid",
            "Values": [],
            "ValidateTagValueType": true,
            "IgnorePatternWhitespaceForTagName": true,
            "Scope": "Subscription"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "RequiredTags"
        ]
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_Config_MDC_Defender_Plans",
      "Description": "Enable all Azure Defender plans in Microsoft Defender for Cloud",
      "Id": "SubscriptionCore300",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderWithReaderLogic",
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "56a6e81f-7413-4f72-9a1b-aaeeaa87c872",
          "58d72d9d-0310-4792-9a3b-6dd111093cdb",
          "0876ef51-fee7-449d-ba1e-f2662c7e43c6",
          "1be22853-8ed1-4005-9907-ddad64cb1417",
          "b1af52e4-e968-4e2b-b6d0-6736c9651f0a",
          "6ac66a74-761f-4a59-928a-d373eea3f028",
          "f0fb2a7e-16d5-849f-be57-86db712e9bd0",
          "aae10e53-8403-3576-5d97-3b00f97332b2",
          "e599a9fe-30e3-47c6-a173-8b4b6d9d3255"
        ]
      },
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing. For bulk remediation using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_Config_MDC_Defender_Plans",
      "DisplayName": "Enable all Azure Defender plans in Microsoft Defender for Cloud",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "Rationale": "Azure Defender enables advanced threat detection capabilities, which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more.",
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "VirtualMachines",
            "DisplayName": "Servers"
          },
          {
            "Type": "SqlServers",
            "DisplayName": "Azure SQL Databases"
          },
          {
            "Type": "AppServices",
            "DisplayName": "App Service"
          },
          {
            "Type": "StorageAccounts",
            "DisplayName": "Storage"
          },
          {
            "Type": "KeyVaults",
            "DisplayName": "Key Vault"
          },
          {
            "Type": "SqlServerVirtualMachines",
            "DisplayName": "SQL servers on machines"
          },
          {
            "Type": "Arm",
            "DisplayName": "Resource Manager"
          },
          {
            "Type": "Containers",
            "DisplayName": "Containers"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "Wave3",
        "SN:Defender"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_MDC_Defender_Plans_MCSB",
      "Description": "[MCSB] Enable all Azure Defender plans in Microsoft Defender for Cloud",
      "Id": "SubscriptionCore570",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentEvaluationType": "All",
        "AssessmentNames": [
          "56a6e81f-7413-4f72-9a1b-aaeeaa87c872",
          "58d72d9d-0310-4792-9a3b-6dd111093cdb",
          "0876ef51-fee7-449d-ba1e-f2662c7e43c6",
          "1be22853-8ed1-4005-9907-ddad64cb1417",
          "b1af52e4-e968-4e2b-b6d0-6736c9651f0a",
          "6ac66a74-761f-4a59-928a-d373eea3f028",
          "f0fb2a7e-16d5-849f-be57-86db712e9bd0",
          "aae10e53-8403-3576-5d97-3b00f97332b2",
          "e599a9fe-30e3-47c6-a173-8b4b6d9d3255"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing. For bulk remediation using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_Config_MDC_Defender_Plans",
      "DisplayName": "[MCSB] Enable all Azure Defender plans in Microsoft Defender for Cloud",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "Rationale": "Azure Defender enables advanced threat detection capabilities, which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more.",
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "VirtualMachines",
            "DisplayName": "Servers"
          },
          {
            "Type": "SqlServers",
            "DisplayName": "Azure SQL Databases"
          },
          {
            "Type": "AppServices",
            "DisplayName": "App Service"
          },
          {
            "Type": "StorageAccounts",
            "DisplayName": "Storage"
          },
          {
            "Type": "KeyVaults",
            "DisplayName": "Key Vault"
          },
          {
            "Type": "SqlServerVirtualMachines",
            "DisplayName": "SQL servers on machines"
          },
          {
            "Type": "Arm",
            "DisplayName": "Resource Manager"
          },
          {
            "Type": "Dns",
            "DisplayName": "DNS"
          },
          {
            "Type": "Containers",
            "DisplayName": "Containers"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_MDC_Security_Policy",
      "Description": "Microsoft Defender for Cloud (MDC) policies must be correctly configured on the subscription.",
      "Id": "SubscriptionCore330",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSecurityPolicy",
      "DisplayName": "Microsoft Defender for Cloud (MDC) policies must be correctly configured on the subscription.",
      "Category": "",
      "ControlRequirements": "",
      "Recommendation": "Run the command 'Set-AzSKAzureSecurityCenterPolicies -SubscriptionId <SubscriptionId>'. Run 'Get-Help Set-AzSKAzureSecurityCenterPolicies -full' for more help. You can also manage your policy settings from the Azure portal (https://portal.azure.com). For more details, visit https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": false,
      "Rationale": "MDC security policies define the desired configuration of your workloads and help ensure you're complying with the security requirements of your company or regulators. They provide key policy settings (e.g., is patching configured for VMs?, is threat detection enabled for SQL?, etc.) and alerts about resources which are not compliant with those policy settings. Correctly configuring MDC is critical as it gives a baseline layer of protection for the subscription and commonly used resource types.",
      "ControlSettings": {
        "MDCPolicyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
        "MDCPoliciesDesiredEffects": {
          "systemUpdatesMonitoringEffect": "AuditIfNotExists",
          "systemConfigurationsMonitoringEffect": "AuditIfNotExists",
          "endpointProtectionMonitoringEffect": "AuditIfNotExists",
          "sqlEncryptionMonitoringEffect": "AuditIfNotExists",
          "apiAppDisableRemoteDebuggingMonitoringEffect": "AuditIfNotExists",
          "functionAppDisableRemoteDebuggingMonitoringEffect": "AuditIfNotExists",
          "webAppDisableRemoteDebuggingMonitoringEffect": "AuditIfNotExists",
          "apiAppEnforceHttpsMonitoringEffect": "AuditIfNotExists",
          "functionAppEnforceHttpsMonitoringEffect": "AuditIfNotExists",
          "webAppEnforceHttpsMonitoringEffect": "AuditIfNotExists",
          "aadAuthenticationInServiceFabricMonitoringEffect": "Audit",
          "clusterProtectionLevelInServiceFabricMonitoringEffect": "Audit",
          "sqlServerAdvancedDataSecurityMonitoringEffect": "AuditIfNotExists",
          "aadAuthenticationInSqlServerMonitoringEffect": "AuditIfNotExists",
          "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": "Audit",
          "secureTransferToStorageAccountMonitoringEffect": "Audit",
          "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": "AuditIfNotExists",
          "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": "AuditIfNotExists",
          "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": "AuditIfNotExists",
          "identityRemoveDeprecatedAccountMonitoringEffect": "AuditIfNotExists",
          "classicStorageAccountsMonitoringEffect": "Audit",
          "classicComputeVMsMonitoringEffect": "Audit",
          "diskEncryptionMonitoringEffect": "AuditIfNotExists",
          "vulnerabilityAssesmentMonitoringEffect": "AuditIfNotExists",
          "vmssOsVulnerabilitiesMonitoringEffect": "AuditIfNotExists",
          "vmssEndpointProtectionMonitoringEffect": "AuditIfNotExists",
          "vmssSystemUpdatesMonitoringEffect": "AuditIfNotExists",
          "sqlDbVulnerabilityAssesmentMonitoringEffect": "AuditIfNotExists",
          "vnetEnableDDoSProtectionMonitoringEffect": "AuditIfNotExists",
          "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": "AuditIfNotExists",
          "identityEnableMFAForOwnerPermissionsMonitoringEffect": "AuditIfNotExists",
          "identityEnableMFAForWritePermissionsMonitoringEffect": "AuditIfNotExists",
          "identityEnableMFAForReadPermissionsMonitoringEffect": "AuditIfNotExists",
          "diagnosticsLogsInRedisCacheMonitoringEffect": "Audit"
        }
      },
      "CustomTags": [
        "SOX"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_MDC_Enable_AutoProvisioning",
      "Description": "Auto Provisioning must be set to ON in Microsoft Defender for Cloud.",
      "Id": "SubscriptionCore340",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAutoProvisioningForSecurity",
      "DisplayName": "Turn on Microsoft Monitoring Agent (MMA) to enable Security Monitoring",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Recommendation": "To configure auto-provisioning settings for your subscription, go to the Azure portal (https://portal.azure.com) and navigate to Security center --> Pricing & Settings --> Select your subscription --> Settings - Data Collection. You can also run the command 'Set-AzSKAzureSecurityCenterPolicies -SubscriptionId <SubscriptionId>' to set up auto-provisioning.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline",
        "Weekly",
        "CSEOPilotP1",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "id",
        "properties.logCollection",
        "properties.recommendations",
        "properties.securityContactConfiguration.areNotificationsOn",
        "properties.securityContactConfiguration.securityContactEmails",
        "properties.securityContactConfiguration.securityContactPhone",
        "properties.securityContactConfiguration.sendToAdminOn"
      ],
      "FixControl": {
        "FixMethodName": "ConfigureSecurityCenter",
        "FixControlImpact": "Medium"
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterAutoProvision"
        ]
      },
      "Rationale": "MDC monitors various security parameters on a VM, such as missing updates, OS security settings, endpoint protection status, and health and threat detections, using a monitoring agent. This agent needs to be provisioned and running on VMs for the monitoring to work. When automatic provisioning is ON, MDC provisions the Microsoft Monitoring Agent (MMA) on all supported Azure VMs and on any new ones that are created.",
      "CustomTags": [
        "SOX",
        "SN:MMA"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_MDC_Setup_SecurityContacts",
      "Description": "Configure security contacts and alerts of medium severity or higher on your subscription.",
      "Id": "SubscriptionCore350",
      "DisplayName": "Configure security contacts and alerts of medium severity or higher on your subscription",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSecurityContactDetails",
      "Recommendation": "Go to Azure Portal -> Microsoft Defender for Cloud -> Environment settings -> Select your subscription -> Go to 'Email notifications' -> a. Under 'Email recipients', select 'Owner' and 'Service Admin' as email recipients and specify at least one email recipient. b. Under 'Notification types', select the check box to notify about alerts and set the alert severity to 'Medium' or 'Low' -> Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "ControlSettings": {
        "SecurityContacts": {
          "AlertNotificationState": "On",
          "AlertNotificationSeverities": [
            "Medium",
            "Low"
          ],
          "NotificationsRecipientsState": "On",
          "NotificationsRecipientsRoleName": [
            "Owner",
            "ServiceAdmin"
          ]
        }
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterContacts"
        ]
      },
      "Rationale": "Security contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your customer data has been accessed by an unlawful or unauthorized party.",
      "CustomTags": [
        "SOX",
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "Wave7",
        "EDPreview",
        "SMTPreview",
        "SN:Subscription_SecurityContacts"
      ]
    },
    {
      "ControlID": "Azure_Subscription_SI_No_Billing_Activity",
      "Description": "Subscriptions with no billing activity and resources for over 90 days must be deleted.",
      "Id": "SubscriptionCore380",
      "ControlSeverity": "Low",
      "Automated": "Yes",
      "MethodName": "CheckSubsBillingActivity",
      "DisplayName": "Subscriptions with no billing activity and resources must be deleted",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "To cancel a subscription in the Azure portal: 1. Select your subscription from the Subscriptions page in the Azure portal. 2. Select the subscription that you want to cancel. 3. Select Overview, and then select Cancel subscription. 4. Follow the prompts and finish the cancellation. For detailed instructions, refer: https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/cancel-azure-subscription.",
      "Tags": [
        "SDL",
        "TCP",
        "SI",
        "Automated",
        "SubscriptionCore",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "Rationale": "Cleaning up unused subscriptions is suggested as a good hygiene practice.",
      "CustomTags": [
        "Wave1",
        "ActiveBaseline",
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "TRWave4",
        "TRPreview",
        "TRBaseline",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:AzSub_NotUsed_Deleted"
      ],
      "ControlSettings": {
        "MinReqdBillingPeriodInDays": 90,
        "GracePeriodForDisabledSubsInDays": 0
      }
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Limit_Admin_Owner_Count",
      "Description": "Minimize the number of admins/owners",
      "Id": "SubscriptionCore110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckSubscriptionAdminOwnerCount",
      "DisplayName": "Minimize the number of admins/owners",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "There are 2 steps involved. (1) You need to remove any 'Classic Administrators/Co-Administrators' who should not be in the role. Please follow these steps: (a) Log on to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to 'Access Control (IAM)' (e) Select the co-administrator account that has to be removed and click on the 'Remove' button. (f) Perform this operation for all the co-administrators that need to be removed from the subscription. (2) You need to remove any unwanted members from the Owners group. To do this, simply run the command 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName Owner'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "ExcludeUsers": [
        ],
        "NoOfAdminOrOwnerLimit": 5,
        "EligibleAdminOrOwnerRoles": [
          "CoAdministrator",
          "ServiceAdministrator",
          "owner"
        ]
      },
      "Enabled": true,
      "Rationale": "Each additional person in the admin/owner role increases the attack surface for the entire subscription. The number of members in these roles should be kept as low as possible.",
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_Subscription_SI_Dont_Use_B2C_Tenant",
      "Description": "Do not use any Azure Active Directory B2C tenant in a subscription",
      "Id": "SubscriptionCore410",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPresenceOfAADB2CTenant",
      "Recommendation": "Refer: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory-b2c/tutorial-delete-tenant.md to delete the Azure B2C tenant and unregister the 'Microsoft.AzureActiveDirectory' resource provider in the subscription. Refer to https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types for more information on resource providers.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Baseline",
        "SI",
        "SubscriptionCore"
      ],
      "DisplayName": "Remove Azure Active Directory B2C tenant(s) in a subscription",
      "Enabled": true,
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "This service depends mainly on a third-party identity provider, which can expose it to authentication attacks. Closing unnecessary or high-risk Azure B2C usage will reduce the attack surface, reduce risk to the enterprise and protect against identity attacks.",
      "ControlSettings": {
        "ResourceTypeName": "Microsoft.AzureActiveDirectory/b2cDirectories"
      },
      "CustomTags": [
        "SN:Azure_B2C",
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_SPNs_NonAD_Identities_Privileged_Roles",
      "Description": "Do not grant privileged roles at the subscription level to external accounts and service principal names (SPNs)",
      "Id": "SubscriptionCore420",
      "DisplayName": "Do not grant privileged roles at the subscription level to external accounts and service principal names (SPNs)",
      "ControlSeverity": "High",
      "Category": "Least privilege access to subscription and resources",
      "Automated": "Yes",
      "MethodName": "CheckSPNsAndNonAADIdentitiesRBAC",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "If these SPNs or External accounts need access to your subscription, make sure you add them at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might be sufficient. In other scenarios you may need 'Reader' access at 'Subscription' scope. Exact permission will vary based on your use case. If you want to remove the SPN or External account, run command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "CriticalRoles": [
          "Owner",
          "Contributor",
          "User Access Administrator"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "Enabled": false,
      "Rationale": "Non-AD accounts (such as xyz@contoso.com, pqr@outlook.com, etc.) are not managed to the same standards as native enterprise tenant identities. They might not have multi-factor authentication enabled. Similarly, SPNs have a single credential and most scenarios that use them cannot support multi-factor authentication. Also, SPNs and Managed Identities can't be granted Just-In-Time access. As a result, adding SPNs or External accounts to a Subscription with privileged roles is risky.",
      "CustomTags": [
        "Trial",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_SPNs_Privileged_Roles",
      "Description": "Service Principals must follow Least privilege principle for role assignments to Subscriptions",
      "Id": "SubscriptionCore460",
      "DisplayName": "Service Principals must follow Least privilege principle for role assignments to Subscriptions",
      "ControlSeverity": "High",
      "Category": "Least privilege access to subscription and resources",
      "Automated": "Yes",
      "MethodName": "CheckSPNsRBAC",
      "ControlScanSource": "Reader",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "If these SPNs need access to your subscription, make sure you add them at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might be sufficient. In other scenarios you may need 'Reader' access at 'Subscription' scope. Exact permission will vary based on your use case. If you want to remove the SPN, run command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily"
      ],
      "ControlSettings": {
        "CriticalRoles": [
          "Owner",
          "Contributor",
          "User Access Administrator"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "Enabled": true,
      "Rationale": "SPNs have a single credential and most scenarios that use them cannot support multi-factor authentication. Also, SPNs and Managed Identities can't be granted Just-In-Time access. As a result, adding SPNs to a Subscription with privileged roles is risky.",
      "CustomTags": [
        "Preview",
        "TenantBaseline",
        "MSD",
        "TBv7",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:SPN_AvoidPrivilegedRoles"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_SPNs_NonAD_Identities_Privileged_Roles_RG",
      "Description": "Do not grant privileged roles at the Resource Group level to external accounts and service principal names (SPNs)",
      "Id": "SubscriptionCore430",
      "DisplayName": "Do not grant privileged roles at the Resource Group level to external accounts and service principal names (SPNs)",
      "ControlSeverity": "High",
      "Category": "Least privilege access to subscription and resources",
      "Automated": "Yes",
      "MethodName": "CheckSPNsAndNonAADIdentitiesRGRBAC",
      "Recommendation": "If these SPNs or External accounts need access to your RG, make sure you add them at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might work. In other scenarios you may need 'Reader' access at 'Resource Group' scope. Exact permission will vary based on your use case. If you want to remove the SPN or External account, run the command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "CriticalRoles": [
          "Owner",
          "User Access Administrator"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "Enabled": false,
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Non-AD accounts (such as xyz@contoso.com, pqr@outlook.com, etc.) are not managed to the same standards as native enterprise tenant identities. They might not have multi-factor authentication enabled. Similarly, SPNs have a single credential and most scenarios that use them cannot support multi-factor authentication. Also, SPNs and Managed Identities can't be granted Just-In-Time access. As a result, adding SPNs or External accounts to a Resource group with privileged roles is risky.",
      "CustomTags": [
        "Trial",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_SPNs_Privileged_Roles_RG",
      "Description": "Service Principals must follow Least privilege principle for role assignments to Resource Groups",
      "Id": "SubscriptionCore480",
      "DisplayName": "Service Principals must follow Least privilege principle for role assignments to Resource Groups",
      "ControlSeverity": "High",
      "Category": "Least privilege access to subscription and resources",
      "Automated": "Yes",
      "MethodName": "CheckSPNsRGRBAC",
      "ControlScanSource": "Reader",
      "Recommendation": "If these SPNs need access to your RG, make sure you add them at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might work. In other scenarios you may need 'Reader' access at 'Resource Group' scope. Exact permission will vary based on your use case. If you want to remove the SPN, run the command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily"
      ],
      "ControlSettings": {
        "CriticalRoles": [
          "Owner",
          "User Access Administrator"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "Enabled": true,
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "SPNs have a single credential and most scenarios that use them cannot support multi-factor authentication. Also, SPNs and Managed Identities can't be granted Just-In-Time access. As a result, adding SPNs to a Resource group with privileged roles is risky.",
      "CustomTags": [
        "Preview",
        "TenantBaseline",
        "MSD",
        "TBv7",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:SPN_AvoidPrivilegedRoles_RG"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_NonAD_Identities_Privileged_Roles_RG",
      "Description": "Do not grant privileged roles at the Resource Group level to external accounts",
      "Id": "SubscriptionCore490",
      "DisplayName": "Do not grant privileged roles at the Resource Group level to external accounts",
      "ControlSeverity": "High",
      "Category": "Least privilege access to subscription and resources",
      "Automated": "Yes",
      "MethodName": "CheckNonAADIdentitiesRGRBACTrial",
      "ControlScanSource": "Reader",
      "Recommendation": "If these External accounts need access to your RG, make sure you add them at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might work. In other scenarios you may need 'Reader' access at 'Resource Group' scope. Exact permission will vary based on your use case. If you want to remove an External account, run the command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "CriticalRoles": [
          "Owner",
          "User Access Administrator"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "Enabled": true,
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Non-AD accounts (such as xyz@contoso.com, pqr@outlook.com, etc.) are not managed to the same standards as native enterprise tenant identities. They might not have multi-factor authentication enabled. As a result, adding External accounts to a Resource group with privileged roles is risky.",
      "CustomTags": [
        "Weekly",
        "SN:NonAD_RGPrivRole"
      ]
    },
    {
      "ControlID": "Azure_Subscription_DP_Avoid_Plaintext_Secrets_Tags",
      "Description": "Tags for resources in a subscription must not have secrets/credentials present in plain text",
      "Id": "SubscriptionCore440",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "SubscriptionResourceTagsAvoidPlaintextSecretsAsync",
      "DisplayName": "Tags for resources in a subscription must not have secrets/credentials present in plain text",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating plain text credentials",
      "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Find the detected secrets/credentials in the tags of the particular resource using the information provided in the UI, rotate those credentials and remove them. Use KeyVault to store secrets/credentials.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline",
        "Daily"
      ],
      "CustomTags": [
        "Wave9",
        "TenantBaseline",
        "Prod",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "CAIWave1",
        "Secrets"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_DP_Avoid_Plaintext_Secrets_Deployments",
      "Description": "Deployments in a subscription must not have secrets/credentials present in plain text",
      "Id": "SubscriptionCore450",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "SubscriptionDeploymentsAvoidPlaintextSecretsAsync",
      "DisplayName": "Deployments in a subscription must not have secrets/credentials present in plain text",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating plain text credentials",
      "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Find detected secrets/credentials in the inputs/outputs section of the deployment of the particular subscription/resource group using the information provided in the UI, rotate those credentials and delete the deployment (Please note that deleting a succeeded deployment does not delete the resources deployed as part of that deployment). Use KeyVault to store secrets/credentials. Templates for deployments also provide a secure way of passing secrets using the 'SecureString' type of parameters. The SecureString type helps mask secrets that are part of input parameters.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline",
        "Daily"
      ],
      "CustomTags": [
        "Wave9",
        "TenantBaseline",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "Prod",
        "CAIWave1",
        "Secrets"
      ],
      "Enabled": true,
      "ControlSettings": {
        "AzurePortalURI": "https://portal.azure.com/#resource"
      }
    },
    {
      "ControlID": "Azure_Subscription_SI_Follow_ManagementGroup_Hierarchy",
      "Description": "Subscription should be part of a descendant Management Group and not the root MG",
      "Id": "SubscriptionCore500",
      "ControlSeverity": "Low",
      "Automated": "Yes",
      "MethodName": "CheckParentMG",
      "Recommendation": "Add subscription to Management Group as per organizational guidance.",
      "DisplayName": "Follow Management Group Hierarchy for subscription",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "As per prescribed organizational guidance, the subscription should be part of the relevant Management Group and not part of the root Management Group directly.",
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SubMGHierarchy"
        ]
      },
      "Tags": [
        "Automated",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": false,
      "Rationale": "Subscriptions should follow the Management Group hierarchy. This helps drive compliance by assigning policies at the Management Group level.",
      "CustomTags": [
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Identity_Rotate_SPN_Credentials",
      "Description": "App registration and service principal credentials must be rotated on a periodic basis",
      "Id": "SubscriptionCore900",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "SubscriptionSPNExpiredCredentials",
      "DisplayName": "App registration and service principal credentials must be rotated on a periodic basis",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access keys must be rotated periodically to mitigate the risks arising due to key compromise to ensure the continued protection of sensitive data",
      "Rationale": "SPNs having access to subscription must have secrets and certificates within maximum approved expiry time.",
      "Recommendation": "Rotate/Delete expired SPN secrets and certificates.",
      "ControlSettings": {
        "ExpirationPeriodInDays": 380,
        "ServicePrincipalTypeFilter": [ "Application", "Legacy" ],
        "AllowedObjectIds": []
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SubRBACServicePrincipalsInv",
          "SubRBACAppRegistrationsInv",
          "SubRBACAADEnrichment"
        ]
      },
      "Tags": [
        "AuthZ",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Daily",
        "SN:Rotate_SPN_Credentials",
        "TenantBaseline",
        "TBv13"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Expired_SPN_Certificates",
      "Description": "SPNs having access to subscription must not have expired certificates",
      "Id": "SubscriptionCore610",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "SubscriptionSPNExpiredCertificates",
      "DisplayName": "SPNs having access to subscription must not have expired certificates",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "SPNs having access to subscription must not have expired certificates.",
      "Recommendation": "Rotate/Delete expired SPN certificates.",
      "ControlSettings": {
        "ServicePrincipalTypeFilter": [ "Application" ],
        "AllowedObjectIds": []
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SubRBACServicePrincipalsInv",
          "SubRBACAppRegistrationsInv",
          "SubRBACAADEnrichment"
        ]
      },
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_SPN_Privileged_Scope_Trial",
      "Description": "[Trial] SPNs in a subscription with access at subscription/resource group level must have at least two FTE owners.",
      "Id": "SubscriptionCore620",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "SubscriptionSPNCriticalAccess",
      "DisplayName": "[Trial] SPNs in a subscription with access at subscription/resource group level must have at least two FTE owners.",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "SPNs in a subscription with access at subscription/resource group level must have at least two FTE owners.",
      "Recommendation": "Add at least two FTE owners or remove the SPN's subscription/resource group level access.",
      "ControlSettings": {
        "ServicePrincipalTypeFilter": [ "Application" ],
        "RBACFilters": [
          {
            "ScopeRegex": "^\/subscriptions\/[^/]+$",
            "PermissionRegex": ".+"
          },
          {
            "ScopeRegex": "^\/subscriptions\/[^/]+\/resourcegroups\/[^/]+$",
            "PermissionRegex": ".+"
          }
        ],
        "FTEOwnerCount": 2,
        "FTEExtensionAttribute2": 50,
        "AllowedObjectIds": []
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SubRBACServicePrincipalsInv",
          "SubRBACAppRegistrationsInv",
          "SubRBACAADEnrichment"
        ]
      },
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "Trial"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_SPN_Privileged_Role_Trial",
      "Description": "[Trial] SPNs in a subscription with access at subscription/resource group level with privileged role must have exactly two FTE owners.",
      "Id": "SubscriptionCore630",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "SubscriptionSPNCriticalRole",
      "DisplayName": "[Trial] SPNs in a subscription with access at subscription/resource group level with privileged role must have exactly two FTE owners.",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "SPNs in a subscription with access at subscription/resource group level with privileged role must have exactly two FTE owners.",
      "Recommendation": "Add exactly two FTE owners or remove SPN's subscription/resource group level privileged access.",
      "ControlSettings": {
        "ServicePrincipalTypeFilter": [ "Application" ],
        "RBACFilters": [
          {
            "ScopeRegex": "^\/subscriptions\/[^/]+$",
            "PermissionRegex": "^(owner|user access administrator|contributor)$"
          },
          {
            "ScopeRegex": "^\/subscriptions\/[^/]+\/resourcegroups\/[^/]+$",
            "PermissionRegex": "^(owner|user access administrator)$"
          }
        ],
        "FTEOwnerCount": 2,
        "NonFTEOwnerCount": 0,
        "FTEExtensionAttribute2": 50,
        "AllowedObjectIds": []
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SubRBACServicePrincipalsInv",
          "SubRBACAppRegistrationsInv",
          "SubRBACAADEnrichment"
        ]
      },
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "Trial"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_LogAnalyticsAgent_AutoProvisioning_MCSB",
      "Description": "[MCSB] Auto provisioning of the Log Analytics agent must be enabled on subscriptions",
      "Id": "SubscriptionCore640",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Auto provisioning of the Log Analytics agent must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Enable logging for your cloud resources to meet the requirements for security incident investigations and security response and compliance purposes",
      "Rationale": "To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. It is recommended to enable auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.",
      "Recommendation": "To configure auto provisioning: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> Open the 'Auto provisioning' page and set the toggle to 'On' for the Log Analytics agent --> Select the workspace to receive the data from the machines. For more details visit https://docs.microsoft.com/azure/defender-for-cloud/enable-data-collection?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "af849052-4299-0692-acc0-bffcbe9e440c"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_AppService_MCSB",
      "Description": "[MCSB] Microsoft Defender for App Service must be enabled on subscriptions",
      "Id": "SubscriptionCore650",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Microsoft Defender for App Service must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies",
      "Rationale": "Microsoft Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks.",
      "Recommendation": "To enable this plan on all App Service plans in a subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'App Service' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "0876ef51-fee7-449d-ba1e-f2662c7e43c6"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_SQLDBServer_MCSB",
      "Description": "[MCSB] Microsoft Defender for Azure SQL Database servers must be enabled on subscriptions",
      "Id": "SubscriptionCore660",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Microsoft Defender for Azure SQL Database servers must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies",
      "Rationale": "Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.",
      "Recommendation": "To enable this plan on all Azure SQL Database servers in a subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'Azure SQL Database servers' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "58d72d9d-0310-4792-9a3b-6dd111093cdb"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_Container_MCSB",
      "Description": "[MCSB] Microsoft Defender for Containers must be enabled on subscriptions",
      "Id": "SubscriptionCore670",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Microsoft Defender for Containers must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies",
      "Rationale": "Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. You can use this information to quickly remediate security issues and improve the security of your containers.",
      "Recommendation": "To enable this plan on all Kubernetes clusters in a subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'Containers' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "e599a9fe-30e3-47c6-a173-8b4b6d9d3255"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_DNS_MCSB",
      "Description": "[MCSB] Microsoft Defender for DNS must be enabled on subscriptions",
      "Id": "SubscriptionCore680",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Microsoft Defender for DNS must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies",
      "Rationale": "Microsoft Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Defender for DNS alerts you about suspicious activity at the DNS layer.",
      "Recommendation": "To enable Microsoft Defender for DNS on your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'DNS' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "aae10e53-8403-3576-5d97-3b00f97332b2"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_KeyVault_MCSB",
      "Description": "[MCSB] Microsoft Defender for Key Vault must be enabled on subscriptions",
      "Id": "SubscriptionCore690",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Microsoft Defender for Key Vault must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies",
      "Rationale": "Microsoft Defender for Cloud includes Microsoft Defender for Key Vault, providing an additional layer of security intelligence. Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.",
      "Recommendation": "To enable Microsoft Defender for Key Vault on all key vaults in a subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'Key Vault' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "b1af52e4-e968-4e2b-b6d0-6736c9651f0a"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_ResourceManager_MCSB",
      "Description": "[MCSB] Microsoft Defender for Resource Manager must be enabled on subscriptions",
      "Id": "SubscriptionCore700",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Microsoft Defender for Resource Manager must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies",
      "Rationale": "Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization. Defender for Cloud detects threats and alerts you about suspicious activity.",
      "Recommendation": "To enable Microsoft Defender for Resource Manager on your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'Resource Manager' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "f0fb2a7e-16d5-849f-be57-86db712e9bd0"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_OpenSourceRelationalDB_MCSB",
      "Description": "[MCSB] Microsoft Defender for open-source relational databases must be enabled on subscriptions",
      "Id": "SubscriptionCore710",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Microsoft Defender for open-source relational databases must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies",
      "Rationale": "Microsoft Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
      "Recommendation": "To enable Microsoft Defender for open-source relational databases on your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'Open-source relational databases' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "b6a28450-dd5d-4ba4-8806-245e20ef6632"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_Servers_MCSB",
      "Description": "[MCSB] Microsoft Defender for servers must be enabled on subscriptions",
      "Id": "SubscriptionCore720",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Microsoft Defender for servers must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies",
      "Rationale": "Microsoft Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.",
      "Recommendation": "To enable this plan on all servers in a subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription. In the 'Defender plans' page, set 'Servers' to 'On'.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "56a6e81f-7413-4f72-9a1b-aaeeaa87c872"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_Storage_MCSB",
      "Description": "[MCSB] Microsoft Defender for Storage must be enabled on subscriptions",
      "Id": "SubscriptionCore730",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Microsoft Defender for Storage must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies",
      "Rationale": "Microsoft Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.",
      "Recommendation": "To enable this plan on all Azure Storage accounts in a subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription. In the 'Defender plans' page, set 'Storage' to 'On'.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "1be22853-8ed1-4005-9907-ddad64cb1417"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_SQLServerOnMachines_MCSB",
      "Description": "[MCSB] Microsoft Defender for SQL servers on machines must be enabled on subscriptions",
      "Id": "SubscriptionCore740",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Microsoft Defender for SQL servers on machines must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies",
      "Rationale": "Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.",
      "Recommendation": "To enable this plan on all SQL servers on machines in a subscription: 1. From Defender for Cloud's 'Environment settings' page, select the relevant subscription. 2. In the 'Defender plans' page, set 'SQL servers on machines' to 'On'.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "6ac66a74-761f-4a59-928a-d373eea3f028"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_MicrosoftDefender_Setup_SecurityContacts_MCSB",
      "Description": "[MCSB] Subscriptions should have a contact email address for security issues",
      "Id": "SubscriptionCore750",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Subscriptions should have a contact email address for security issues",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Defender for Cloud.",
      "Recommendation": "To set up a security contact: 1. From Defender for Cloud's 'Environment settings' page, select the relevant subscription. 2. In the 'Email notifications' page, select the recipients and notification types. 3. Select 'Save'.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "77758c9d-8a56-5f54-6ff7-69a762ca6004"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Add_Minimum_Two_Owners_MCSB",
      "Description": "[MCSB] There should be more than one owner assigned to subscriptions",
      "Id": "SubscriptionCore760",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] There should be more than one owner assigned to subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Designate more than one subscription owner in order to have administrator access redundancy.",
      "Recommendation": "To add another account with owner permissions to your subscription: Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane. If you don't have permissions to assign roles, the Add role assignment option will be disabled. 2. In the 'Role' drop-down list, select the Owner role. 3. In the Select list, select a user. 4. Select 'Save'.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Config",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "2c79b4af-f830-b61e-92b9-63dfa30f16e4"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_SPN_Owners_Governance",
      "Description": "App Registrations and Service Principals must have at least two FTEs (Full Time Employees) as Owners.",
      "Id": "SubscriptionCore770",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSubscriptionSPNOwnerAccountType",
      "DisplayName": "App Registrations and Service Principals must have at least two FTEs (Full Time Employees) as Owners.",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "SPNs in a subscription with access at subscription or resource group level should not have access to any External Users.",
      "Recommendation": "Add at least two FTE (Full Time Employee) owners or remove SPN's subscription/resource group level access.",
      "ControlSettings": {
        "ServicePrincipalTypeFilter": [ "Application", "Legacy" ],
        "RBACFilters": [
          {
            "ScopeRegex": "^\/subscriptions\/[^/]+$",
            "PermissionRegex": ".+"
          },
          {
            "ScopeRegex": "^\/subscriptions\/[^/]+\/resourcegroups\/[^/]+$",
            "PermissionRegex": ".+"
          }
        ],
        "SasAltAccount": {
          "SasAltRegex": "@sas.ms"
        },
        "FTEOwnerWithAltAccountCount": 0,
        "FTEOwnerWithoutAltAccountCount": 2,
        "NonFTEOwnerCount": 0,
        "SCAltAccountAttributeKey": "extensionAttribute2",
        "SCAltAccountAttributeValue": -10,
        "FTEExtensionAttribute2Key": "extensionAttribute2",
        "FTEExtensionAttribute2Value": 50,
        "ExternallyFTEMappingKey": "",
        "ExternallyFTEMappingValue": "",
        "IsExternalTenantSetup": true,
        "AllowedObjectIds": [],
        "ExcludedAppOwnerTenantIds": [
          "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SubRBACServicePrincipalsInv",
          "SubRBACAppRegistrationsInv",
          "SubRBACAADEnrichment"
        ]
      },
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Daily",
        "Preview",
        "TenantBaseline",
        "MSD",
        "TBv9",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:SPN_Owners_Governance"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthN_Enable_MFA_On_Write_Accounts_MCSB",
      "Description": "[MCSB] MFA must be enabled for accounts with write permissions on your subscription",
      "Id": "SubscriptionCore800",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] MFA must be enabled for accounts with write permissions on your subscription",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Multi-Factor Authentication (MFA) must be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.",
      "Recommendation": "Refer: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa",
      "Tags": [
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "57e98606-6b1e-6193-0e3d-fe621387c16b"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthN_Enable_MFA_On_Owner_Accounts_MCSB",
      "Description": "[MCSB] MFA must be enabled on accounts with owner permissions on your subscription",
      "Id": "SubscriptionCore810",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] MFA must be enabled on accounts with owner permissions on your subscription",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Multi-Factor Authentication (MFA) must be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.",
      "Recommendation": "Refer: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa",
      "Tags": [
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "94290b00-4d0c-d7b4-7cea-064a9554e681"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthN_Enable_MFA_On_Read_Accounts_MCSB",
      "Description": "[MCSB] MFA must be enabled on accounts with read permissions on your subscription",
      "Id": "SubscriptionCore820",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] MFA must be enabled on accounts with read permissions on your subscription",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Multi-Factor Authentication (MFA) must be enabled for all subscription accounts with read permissions to prevent a breach of accounts or resources.",
      "Recommendation": "Refer: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa",
      "Tags": [
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "151e82c5-5341-a74b-1eb0-bc38d2c84bb5"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Limit_Admin_Owner_Count_MCSB",
      "Description": "[MCSB] A maximum of 3 owners should be designated for your subscription",
      "Id": "SubscriptionCore830",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] A maximum of 3 owners should be designated for your subscription",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Each additional person in the admin/owner role increases the attack surface for the entire subscription. The number of members in these roles should be kept as low as possible.",
      "Recommendation": "Steps to remove role assignments are: a. To remove permanent role assignment use command 'Remove-AzRoleAssignment' or refer link, https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-remove#azure-portal b. To remove PIM role assignments, refer link https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user?tabs=new#update-or-remove-an-existing-role-assignment.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "AuthZ",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "6f90a6d6-d4d6-0794-0ec1-98fa77878c2e"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_Deprecated_Owner_Accounts_MCSB",
      "Description": "[MCSB] Deprecated accounts with owner permissions should be removed from your subscription",
      "Id": "SubscriptionCore840",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Deprecated accounts with owner permissions should be removed from your subscription",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Deprecated accounts are ones that were once deployed to your subscription for some trial/pilot initiative (or some other purpose). These are not required any more and are a standing risk if present in any role on the subscription.",
      "Recommendation": "Steps to remove role assignments of deprecated/invalid accounts are: a. To remove permanent role assignment use command 'Remove-AzRoleAssignment' or refer link, https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-remove#azure-portal b. To remove classic role assignments, refer link: https://docs.microsoft.com/en-us/azure/role-based-access-control/classic-administrators#remove-a-co-administrator c. To remove PIM role assignments, refer link https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user?tabs=new#update-or-remove-an-existing-role-assignment.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "AuthZ",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "e52064aa-6853-e252-a11e-dffc675689c2"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_NonAD_Owner_Accounts_MCSB",
      "Description": "[MCSB] External accounts with owner permissions should be removed from your subscription",
      "Id": "SubscriptionCore850",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] External accounts with owner permissions should be removed from your subscription",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Non-AD accounts (such as xyz@hotmail.com, pqr@outlook.com, etc.) present at any scope within a subscription subject your cloud assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities; for example, they don't have multi-factor authentication enabled.",
      "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "c3b6ae71-f1f0-31b4-e6c1-d5951285d03d"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_NonAD_Read_Accounts_MCSB",
      "Description": "[MCSB] External accounts with read permissions should be removed from your subscription",
      "Id": "SubscriptionCore860",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] External accounts with read permissions should be removed from your subscription",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Non-AD accounts (such as xyz@hotmail.com, pqr@outlook.com, etc.) present at any scope within a subscription subject your cloud assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities; for example, they don't have multi-factor authentication enabled.",
      "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_Deprecated_Accounts_MCSB",
      "Description": "[MCSB] Deprecated accounts should be removed from your subscription",
      "Id": "SubscriptionCore870",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Deprecated accounts should be removed from your subscription",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Deprecated accounts are ones that were once deployed to your subscription for some trial/pilot initiative (or some other purpose). These are not required any more and are a standing risk if present in any role on the subscription.",
      "Recommendation": "Steps to remove role assignments of deprecated/invalid accounts are: a. To remove permanent role assignment use command 'Remove-AzRoleAssignment' or refer link, https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-remove#azure-portal b. To remove classic role assignments, refer link: https://docs.microsoft.com/en-us/azure/role-based-access-control/classic-administrators#remove-a-co-administrator c. To remove PIM role assignments, refer link https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user?tabs=new#update-or-remove-an-existing-role-assignment.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "AuthZ",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "00c6d40b-e990-6acf-d4f3-471e747a27c4"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_Ext_Accounts_Permissions_MCSB",
      "Description": "[MCSB] External accounts with write permissions should be removed from your subscription",
      "Id": "SubscriptionCore880",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] External accounts with write permissions should be removed from your subscription",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "External accounts with write privileges should be removed from subscriptions in order to prevent unmonitored access.",
      "Recommendation": "To remove an external account with owner permissions from a subscription, go to Azure Portal --> Subscriptions --> select the subscription --> click on the Access control (IAM) section --> select 'Role Assignments' to open the role assignment pane --> In the 'Role' drop-down list, select the user and role you want to remove --> Select 'Save'. Refer: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-remove#azure-portal",
      "Tags": [
        "AuthZ",
        "Baseline",
        "SubscriptionCore"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "04e7147b-0deb-9796-2e5c-0336343ceb3d"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Use_SPNs_With_Password",
      "Description": "Do not use SPNs with password credentials to access subscriptions or resource groups in Azure",
      "Id": "SubscriptionCore890",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "ValidateSubscriptionSPNPasswordCredentials",
      "DisplayName": "Do not use SPNs with password credentials to access subscriptions or resource groups in Azure",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating password credentials",
      "Rationale": "The purpose of the security control is to prevent the creation of Service Principal identities with secrets associated with them at the subscription or resource group level. This is because secrets, which are often simple string values, can be easily compromised and used by threat actors to gain access to the system. When these secrets are stored in config files, hardcoded in scripts, or saved by an administrator, there is a high risk that they can be exposed or leaked, which can allow an attacker to use the permissions granted to the Service Principal to attack the system. In addition, the Enterprise Application blade of Azure AD creates Service Principals that can hold credentials that are not visible through the Azure portal, which presents an even greater risk of exposure. This lack of visibility carries a high risk that these credentials can be exploited for malicious purposes, which can cause significant harm to the system. Therefore, the position being taken is to block the creation of Service Principal identities with secrets associated with them, to avoid the risk of these credentials being compromised and used for nefarious purposes.",
      "Recommendation": "To read about removing the secret from an SPN, please visit https://github.com/microsoftgraph/microsoft-graph-docs/blob/main/api-reference/v1.0/api/serviceprincipal-removepassword.md.",
      "ControlSettings": {
        "ServicePrincipalTypeFilter": [ "Application", "Legacy" ],
        "RBACFilters": [
          {
            "ScopeRegex": "^\/subscriptions\/[^/]+$",
            "PermissionRegex": ".+"
          },
          {
            "ScopeRegex": "^\/subscriptions\/[^/]+\/resourcegroups\/[^/]+$",
            "PermissionRegex": ".+"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SubRBACServicePrincipalsInv",
          "SubRBACAppRegistrationsInv",
          "SubRBACAADEnrichment"
        ]
      },
      "Tags": [
        "SubscriptionCore",
        "Automated",
        "AuthZ",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv10",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:SPN_RemovePwdCredentials"
      ]
    },
    {
      "ControlID": "Azure_Subscription_SI_Enable_Owner_Email_Notifications_MCSB",
      "Description": "[MCSB] Email notification to subscription owner for high severity alerts must be enabled",
      "Id": "SubscriptionCore910",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Email notification to subscription owner for high severity alerts must be enabled",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.",
      "Recommendation": "To enable email notifications to the subscription owner, refer: https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications",
      "Tags": [
        "SI",
        "Baseline",
        "SubscriptionCore",
        "Automated"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "9f97e78d-88ee-a48d-abe2-5ef12954e7ea"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_SI_Enable_Email_Notifications_MCSB",
      "Description": "[MCSB] Email notification for high severity alerts must be enabled",
      "Id": "SubscriptionCore920",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Email notification for high severity alerts must be enabled",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.",
      "Recommendation": "To enable email notifications for the subscription, refer: https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications",
      "Tags": [
        "SI",
        "Baseline",
        "SubscriptionCore",
        "Automated"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Defender_DNS_KR51",
      "Description": "[KR51] Microsoft Defender for DNS must be enabled on subscriptions.",
      "Id": "SubscriptionCore940",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Microsoft Defender for DNS must be enabled on subscriptions.",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Azure Defender enables advanced threat detection capabilities, which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing. For bulk remediation using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_Config_MDC_Defender_Plans",
      "Tags": [
        "Baseline",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": []
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Defender_KeyVault_KR51",
      "Description": "[KR51] Microsoft Defender for Key Vault must be enabled on subscriptions.",
      "Id": "SubscriptionCore950",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Microsoft Defender for Key Vault must be enabled on subscriptions.",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Azure Defender enables advanced threat detection capabilities, which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing. For bulk remediation using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_Config_MDC_Defender_Plans",
      "Tags": [
        "Baseline",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Dine",
            "DefinitionType": "Definition",
            "DisplayName": "Microsoft Defender for Key Vault must be enabled",
            "Description": "Microsoft Defender for Cloud includes Microsoft Defender for Key Vault, providing an additional layer of security intelligence.<br>Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.<br>Important: Protections from this plan are charged as shown on the <b>Defender plans</b> page. If you don't have any key vaults in this subscription, you won't be charged. If you later create key vaults on this subscription, they'll automatically be protected and charges will begin.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Defender_ResourceManager_KR51",
      "Description": "[KR51] Microsoft Defender for Resource Manager must be enabled on subscriptions.",
      "Id": "SubscriptionCore960",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Microsoft Defender for Resource Manager must be enabled on subscriptions.",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Azure Defender enables advanced threat detection capabilities, which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing. For bulk remediation using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_Config_MDC_Defender_Plans",
      "Tags": [
        "Baseline",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Dine",
            "DefinitionType": "Definition",
            "DisplayName": "Microsoft Defender for Resource Manager must be enabled",
            "Description": "Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization. Defender for Cloud detects threats and alerts you about suspicious activity.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Defender_AppService_KR51",
      "Description": "[KR51] Microsoft Defender for App Service must be enabled on subscriptions.",
      "Id": "SubscriptionCore970",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Microsoft Defender for App Service must be enabled on subscriptions.",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Azure Defender enables advanced threat detection capabilities, which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing. For bulk remediation using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_Config_MDC_Defender_Plans",
      "Tags": [
        "Baseline",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Dine",
            "DefinitionType": "Definition",
            "DisplayName": "Microsoft Defender for App Service must be enabled",
            "Description": "Microsoft Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.<br>Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks.<br><br>Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.<br>If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Use_Only_Alt_Credentials",
      "Description": "Use Alternate (SC-ALT, SAS-ALT) accounts to access Azure roles on subscription and resource groups",
      "Id": "SubscriptionCore320",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNonAlternateAccounts",
      "DisplayName": "Use Alternate (SC-ALT, SAS-ALT) accounts to access Azure roles on subscription and resource groups",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "Go to Azure portal -> Privileged Identity Management -> Azure Resources -> Select the scope -> Members -> Eligible roles and verify the non-alternate accounts. Ensure that only alternate accounts are used as members of critical roles in the subscription. Do not use day-to-day user accounts.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "AllowedPIMRoles": {
          "Subscription": [
            "Azure Front Door Domain Contributor",
            "Azure Front Door Domain Reader",
            "Azure Front Door Profile Reader",
            "Azure Front Door Secret Contributor",
            "Azure Front Door Secret Reader",
            "Defender for Storage Data Scanner",
            "AzureML Compute Operator",
            "Cognitive Services Usages Reader",
            "Key Vault Crypto Service Release User",
            "ServiceAdministrator",
            "CoAdministrator",
            "AccountAdministrator",
            "ServiceAdministrator;AccountAdministrator",
            "ServiceAdministrator;CoAdministrator",
            "CoAdministrator;AccountAdministrator",
            "CoAdministrator;ServiceAdministrator",
            "AccountAdministrator;ServiceAdministrator",
            "AccountAdministrator;CoAdministrator"
          ],
          "ResourceGroup": [
            "Azure Front Door Domain Contributor",
            "Azure Front Door Domain Reader",
            "Azure Front Door Profile Reader",
            "Azure Front Door Secret Contributor",
            "Azure Front Door Secret Reader",
            "Defender for Storage Data Scanner",
            "AzureML Compute Operator",
            "Cognitive Services Usages Reader",
            "Key Vault Crypto Service Release User"
          ]
        },
        "SasAltAccount": {
          "SasAltRegex": "@sas.ms$"
        }
      },
      "Enabled": true,
      "Rationale": "The regular / day-to-day use accounts are subject to a lot of credential theft attacks due to various activities that a user conducts using such accounts (e.g., browsing the web, clicking on email links, etc.). A user account that gets compromised (say via a phishing attack) immediately subjects the entire cloud subscription to risk if it is a member of critical roles in the subscription. Use of smartcard-backed alternate (SC-ALT) accounts instead protects the cloud subscriptions from this risk. Moreover, for complete protection, all sensitive access must be done using a secure admin workstation (SAW) and Azure Privileged Identity Management (PIM).",
      "CustomTags": [
        "Daily",
        "SN:Sub_SC-ALT"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Configure_Conditional_Access_for_PIM",
      "Description": "Enable policy to require PIM elevation from SAW for Azure roles in Azure subscriptions",
      "Id": "SubscriptionCore283",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckPIMCATag",
      "DisplayName": "Enable policy to require PIM elevation from SAW for Azure roles in Azure subscriptions",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "To configure Conditional Access Policy, refer https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings. **Note:** Follow the same steps for 'Owner', 'Contributor' and 'User Access Administrator' roles. To create Policy for your organization, refer https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json#create-a-conditional-access-policy.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "RequiredAcrsRule": {
          "claimValue": "urn:microsoft:req1,c1",
          "id": "AuthenticationContext_EndUser_Assignment",
          "ruleType": "RoleManagementPolicyAuthenticationContextRule"
        },
        "AllowedRoles": {
          "Azure Front Door Domain Contributor": "0ab34830-df19-4f8c-b84e-aa85b8afa6e8",
          "Azure Front Door Domain Reader": "0f99d363-226e-4dca-9920-b807cf8e1a5f",
          "Azure Front Door Profile Reader": "662802e2-50f6-46b0-aed2-e834bacc6d12",
          "Azure Front Door Secret Contributor": "3f2eb865-5811-4578-b90a-6fc6fa0df8e5",
          "Azure Front Door Secret Reader": "0db238c4-885e-4c4f-a933-aa2cef684fca",
          "Defender for Storage Data Scanner": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
          "AzureML Compute Operator": "e503ece1-11d0-4e8e-8e2c-7a6c3bf38815",
          "Cognitive Services Usages Reader": "bba48692-92b0-4667-a9ad-c31c7b334ac2",
          "Key Vault Crypto Service Release User": "08bbd89e-9f13-488c-ac41-acfcb10c90ab"
        }
      },
      "Enabled": true,
      "Rationale": "By using Conditional Access policies for privileged roles, you can apply the right access controls to make sure certain requirements are met before the end user gets access to the resource.",
      "CustomTags": [
        "Daily",
        "SN:Subscription_PIM_SAW"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_CSPM",
      "Description": "Microsoft Defender CSPM must be enabled on subscriptions",
      "Id": "SubscriptionCore991",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderWithReaderLogic",
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": []
      },
      "DisplayName": "Microsoft Defender CSPM should be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Microsoft Defender CSPM provides advanced security posture capabilities including agentless vulnerability scanning, data-aware security posture, the cloud security graph, and advanced threat hunting.",
      "Recommendation": "To enable Microsoft Defender CSPM on your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'Defender CSPM' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "CloudPosture",
            "DisplayName": "Defender CSPM",
            "ReqMDCExtensions": [
              "SensitiveDataDiscovery",
              "ContainerRegistriesVulnerabilityAssessments",
              "AgentlessDiscoveryForKubernetes",
              "AgentlessVmScanning",
              "EntraPermissionsManagement"
            ]
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_AppService",
      "Description": "Microsoft Defender for App Service must be enabled on subscriptions",
      "Id": "SubscriptionCore993",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderWithReaderLogic",
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": []
      },
      "DisplayName": "Microsoft Defender for App Service must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Microsoft Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks.",
      "Recommendation": "To enable this plan on all App Services in your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'App Service' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "AppServices",
            "DisplayName": "App Service"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv12",
        "SN:Defender_AppService",
        "WEBXTWave1",
        "WEBXTPreview",
        "EPSFWave1",
        "EPSFPreview"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_Databases",
      "Description": "Microsoft Defender for Databases must be enabled on subscriptions",
      "Id": "SubscriptionCore994",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderWithReaderLogic",
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": []
      },
      "DisplayName": "Microsoft Defender for Databases must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Microsoft Defender for Databases allows you to protect your entire database estate with attack detection and threat response for the most popular database types in Azure. Defender for Cloud provides protection for the database engines and for data types, according to their attack surface and security risks.",
      "Recommendation": "To enable this plan on all Databases in your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'Databases' to 'On'. This will enable this plan for 'Azure SQL Databases', 'SQL servers on machines', 'Open-source relational databases' and 'Azure Cosmos DB'.",
      "Tags": [
        "SDL",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "SqlServers",
            "DisplayName": "Azure SQL Databases"
          },
          {
            "Type": "SqlServerVirtualMachines",
            "DisplayName": "SQL servers on machines"
          },
          {
            "Type": "OpenSourceRelationalDatabases",
            "DisplayName": "Open-source relational databases"
          },
          {
            "Type": "CosmosDbs",
            "DisplayName": "Azure Cosmos DB"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv12",
        "SN:Defender_Databases"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_Storage",
      "Description": "Microsoft Defender for Storage must be enabled on subscriptions",
      "Id": "SubscriptionCore995",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderWithReaderLogic",
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": []
      },
      "DisplayName": "Microsoft Defender for Storage must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Microsoft Defender for Storage detects unusual and potentially harmful attempts to access or exploit storage accounts.",
      "Recommendation": "To enable this plan on all Azure Storage accounts in your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription. In the 'Defender plans' page, set 'Storage' to 'On'.",
      "Tags": [
        "SDL",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "StorageAccounts",
            "DisplayName": "Storage",
            "ReqMDCSubPlan": "DefenderForStorageV2"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv12",
        "SN:Defender_Storage"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_Container",
      "Description": "Microsoft Defender for Containers must be enabled on subscriptions",
      "Id": "SubscriptionCore996",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderWithReaderLogic",
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": []
      },
      "DisplayName": "Microsoft Defender for Containers must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. You can use this information to quickly remediate security issues and improve the security of your containers.",
      "Recommendation": "To enable this plan on all containers in your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'Containers' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "Containers",
            "DisplayName": "Containers"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv12",
        "SN:Defender_Containers"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_KeyVault",
      "Description": "Microsoft Defender for Key Vault must be enabled on subscriptions",
      "Id": "SubscriptionCore997",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderWithReaderLogic",
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": []
      },
      "DisplayName": "Microsoft Defender for Key Vault must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Microsoft Defender for Cloud includes Microsoft Defender for Key Vault, providing an additional layer of security intelligence. Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.",
      "Recommendation": "To enable this plan on all key vaults in your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'Key Vault' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "KeyVaults",
            "DisplayName": "Key Vault"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv12",
        "SN:Defender_KeyVault",
        "WEBXTWave1",
        "WEBXTPreview",
        "EPSFWave1",
        "EPSFPreview"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_ResourceManager",
      "Description": "Microsoft Defender for Resource Manager must be enabled on subscriptions",
      "Id": "SubscriptionCore998",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderWithReaderLogic",
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": []
      },
      "DisplayName": "Microsoft Defender for Resource Manager must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization. Defender for Cloud detects threats and alerts you about suspicious activity.",
      "Recommendation": "To enable Microsoft Defender for Resource Manager on your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'Resource Manager' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "Arm",
            "DisplayName": "Resource Manager"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv12",
        "SN:Defender_ResourceManager",
        "WEBXTWave1",
        "WEBXTPreview",
        "EPSFWave1",
        "EPSFPreview"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_API",
      "Description": "Microsoft Defender for API Management must be enabled on subscriptions",
      "Id": "SubscriptionCore999",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderWithReaderLogic",
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": []
      },
      "DisplayName": "Microsoft Defender for API Management should be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Defender for APIs helps you gain visibility into business-critical APIs. You can investigate and improve security posture, prioritize vulnerability fixes, and detect the top OWASP API threats.",
      "Recommendation": "To enable this plan for all APIs in your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription --> In the 'Defender plans' page, set 'APIs' to 'On'",
      "Tags": [
        "SDL",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "Api",
            "DisplayName": "APIs"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_Subscription_SI_Ensure_Registered_in_ServiceTree",
      "Description": "Ensure Azure subscriptions are registered in Service Tree",
      "Id": "SubscriptionCore120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckIsSubRegisteredinServiceTree",
      "DisplayName": "Ensure Azure subscriptions are registered in Service Tree",
      "Category": "Security Hygiene best practices",
      "ControlRequirements": "Subscriptions must be registered in Service Tree with at least one PM Owner role and one Dev Owner role",
      "Rationale": "Subscriptions must be registered in Service Tree with at least one PM Owner role and one Dev Owner role defined, as a security hygiene practice.",
      "Recommendation": "Please follow the security standards as per your Organization policy.",
      "Tags": [
        "SDL",
        "SI",
        "Automated",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv12",
        "SN:Register_Subscriptions_in_Service_Tree"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_Servers",
      "Description": "Microsoft Defender for Servers must be enabled on subscriptions",
      "Id": "SubscriptionCore992",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderForServer",
      "ControlScanSource": "Reader",
      "DisplayName": "Microsoft Defender for Servers must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Microsoft Defender for Servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.",
      "Recommendation": "To enable this plan on all servers in your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription. In the 'Defender plans' page, set 'Servers' to 'On'. Go to 'Settings' and enable 'Vulnerability assessment for machines' and 'Endpoint protection' components.",
      "Tags": [
        "Config",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "VirtualMachines",
            "DisplayName": "Servers"
          }
        ],
        "EndpointProtectionExtensionName": "WDATP",
        "VulnerabilityAssessmentProvider": "MdeTvm",
        "VulnerabilityAssessmentType": "Microsoft.Security/serverVulnerabilityAssessmentsSettings"
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "TBv14",
        "SN:Defender_Servers"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_NonAllowed_Broad_Groups",
      "Description": "Restrict access to non-allowed broad groups across all scopes",
      "Id": "SubscriptionCore150",
      "DisplayName": "Restrict access to non-allowed broad groups across all scopes",
      "Category": "Least access requirement to non-allowed broad groups at subscription, resource groups and resources",
      "ControlRequirements": "Access by non-allowed broad groups must be explicitly restricted at all scopes (subscription, resource groups, and resources) to ensure compliance with security and least privilege principles.",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNonAllowedGroupRBAC",
      "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "NonAllowedGroupsObjectIds": [ "9bac80e6-7dac-4b2d-913b-2f6da8093c01" ]
      },
      "Enabled": true,
      "Rationale": "Granting any broad group access to a resource could lead to unintentional access through group membership.",
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Enable_MicrosoftDefender_AIWorkloads",
      "Description": "Microsoft Defender for AI workloads must be enabled on subscriptions",
      "Id": "SubscriptionCore1010",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderWithReaderLogic",
      "ControlScanSource": "Reader",
      "DisplayName": "Microsoft Defender for AI workloads must be enabled on subscriptions",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Microsoft Defender for AI workloads provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. This information can be used to quickly remediate security issues and enhance the security of your AI workloads.",
      "Recommendation": "To enable this plan on all AI workloads in your subscription: From Defender for Cloud's 'Environment settings' page, select the relevant subscription. In the 'Defender plans' page, set 'AI workloads' to 'On'. After enabling the AI workloads plan, open the 'Settings' option under AI workloads and toggle 'Enable user prompt evidence' to 'On'.",
      "Tags": [
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "AI",
            "DisplayName": "AI workloads",
            "ReqMDCExtensions": [
              "AIPromptEvidence"
            ]
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "Daily"
      ]
    }
  ]
}